Age | Commit message (Collapse) | Author |
|
If a firewall is not configured there is no reason to get and
execute telegraf firewall custom scripts as there are no nft
chain in the firewall nftables configuration
(cherry picked from commit ebff0c481907ac0c2c0be9981c3c3d87caf3003b)
|
|
Add Loki plugin to telegraf
set service monitoring telegraf loki url xxx
(cherry picked from commit 3365eb7ab99fa9a259fe440eb51e82fc0a0a4dc6)
|
|
T751: Remove ids suricata
|
|
T3202: Enable wireguard debug messages (backport #3679)
|
|
snmp: T6489: use new Python wrapper to interact with config filesystem (backport #3694)
|
|
filesystem
(cherry picked from commit d7a18a3da949bfa3df89661cc0871e8f23b18a10)
|
|
(cherry picked from commit e1a34e661d3e5f0090550796ac266dac15e1e337)
|
|
my_set/my_delete
(cherry picked from commit da29c9b3ab7b0cc23d64c8b033fc5a79c1b09174)
|
|
Do no longer use my_set and my_delete as this prevents scripts beeing run under
supervision of vyos-configd.
(cherry picked from commit 7e0e8101998a6c8de6cb93c42bfbf1278c13f226)
|
|
(cherry picked from commit 9495f904fcc157521ca001ee21cf31be28a6b3a0)
|
|
(cherry picked from commit d818788932e3c57d020cca9236df7275da452fce)
|
|
(cherry picked from commit c0b2693cebc3429e1974a9cec5946fa88ffc0205)
|
|
Add possibility to provide a full CA chain to the openconnect server.
* Support multiple CA certificates
* For every CA certificate specified, always determine the full certificate
chain in the background and add the necessary SSL certificates
(cherry picked from commit 973f06c00b902c43dfea34bdf01bdec7c599c452)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
(cherry picked from commit f29caa824c02c833a3978b9236391e4277c1a6ba)
|
|
Commit 9f9891a2099 ("pki: T6241: Fix dependency updates on PKI changes") added
a print() statement which notified the users about the subsystems which got
supplied with an updated certificate.
Example:
> PKI: Updating config: interfaces openvpn vtun0 tls certificate openvpn_vtun0
> PKI: Updating config: interfaces openvpn vtun0 tls ca_certificate openvpn_vtun0_1
This is an informational message which should maybe (if needed) be sent to
syslog. But the main issue is that CLI paths are mangled (- to _) which makes
the about print output wrong and could potentially confuse users.
Statement has been commented to be re-enabled for debugging.
(cherry picked from commit a4d49a96918c0f0dac3d17f9cf3a5b8f3a9505c0)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
openvpn: T5487: Remove deprecated option --cipher for server and client mode
|
|
|
|
T6442: CGNAT add log for address allocation
|
|
vyos.utils: T5195: import vyos.cpu to this package
|
|
Add the configuration command to log current CGNAT allocation
set nat cgnat log-allocation
|
|
|
|
|
|
|
|
The intention of vyos.utils package is to have a common ground for repeating
actions/helpers. This is also true for number of CPUs and their respective
core count.
Move vyos.cpu to vyos.utils.cpu
|
|
pki: T6463: reverse-proxy service not reloaded when updating SSL certificate(s)
|
|
firewall: T3900: T6394: remove unused import
|
|
The haproxy reverse proxy was not reloaded/restarted with the new SSL
certificate(s) after a change in the PKI subsystem. This was due to missing
dependencies.
|
|
With commit 770edf016838 ("T3900: T6394: extend functionalities in firewall;
move netfilter sysctl timeout parameters defined in conntrack to firewall
global-opton section.") the import of the glob module is no longer
required.
Found my running: make unused-imports
|
|
|
|
Fix external address/port allocation for CGN.
It fixes some cases where external address/ports can be allocated again
to another user.
|
|
T3900: Add support for raw tables in firewall
|
|
timeout parameters defined in conntrack to firewall global-opton section.
|
|
nat64: T6403: validate source prefix for RFC compliance
|
|
|
|
|
|
Simplest fix is to comply with RFC6052. The code change is just masking
out the relevant bits and ensuring they're zeroed.
|
|
Unset params would mistakenly match when None and trigger a validation error even when used params were unique.
Updated check to ensure unique source-addresses if not None, and that (source-interfaces, source-addresses) are
unique together appropriately.
|
|
dns: T6422: allow multiple redundant NS records
|
|
added new syntax to work with class match filters in QoS policy
|
|
style fixes
|
|
NS is unlike CNAME or PTR, multiple NS records are perfectly valid and is a common use case: multiple redundant DNS servers is a common configuration and should be supported.
|
|
reverse-proxy: T6419: build full CA chain when verifying backend server
|
|
Commit 74910564f ("T6406: rename cpus to cpu") did not import the function
from the Python module.
|
|
|
|
|
|
The code path to handle the ca certificate used for the frontend service
is removed, as there is no way on the XLI to define the CA certificate used
for the frontend service.
|
|
|
|
T6411: CGNAT fix sequences for external address ranges
|
|
openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS
|
|
Fix the bug where address external alocation was not rely on sequences
of the external IP addresses (if set)
|